aws nacl sg security_group network https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
Network ACL is kinda similar with the security group, it will help to define and add another layer to allow or deny traffic that comes to the subnet.
| Network ACL | Security group |
|---|---|
| Operate at subnet level | Operate at the instance level |
| Applied to all intances inside the subnet | Applied to one instance if it is associated |
| Allow and Deny rules | Allow rules |
| Evalute rules by orders | Evalute all rule at the same time before traffic can come to the instance |
| Stateless: returned traffic only if it’s explicitly allowed by all rules | Stateful: return traffic immediately if it is allowed by one rule, and regarless of the rules |
| ACL does the stateless inspection, it checks the package and does not know about the state, where the package comes from | SG does the stateful check, its knows the conversation of the package and states of the package |
NACL and SG
Link to original